Overview
- The U.S. cybersecurity agency added CVE-2026-20182 to its Known Exploited Vulnerabilities list on Thursday, setting a May 17 deadline for federal agencies to patch under BOD 22-01.
- Cisco released fixes and reported limited exploitation in May, warning that there is no complete workaround and that only upgrading to a fixed release fully resolves the risk.
- The flaw breaks peering checks in Catalyst SD‑WAN Controller and Manager, letting a remote attacker obtain a high‑privilege internal account, reach the NETCONF service, and change SD‑WAN configuration across the network.
- Rapid7, which discovered the bug while studying an earlier SD‑WAN issue, says the attack targets the vdaemon DTLS service on UDP 12346 and lets an attacker impersonate a trusted peer and then log into NETCONF on TCP 830.
- Cisco published indicators to spot abuse and urged administrators to check auth.log for entries showing “Accepted publickey for vmanage-admin” from unrecognized IP addresses, and to check controller logs for peering events that are unauthorized or occur at unusual times.
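The auth.log check above is easy to script. The following is an added example, not code from Cisco, Rapid7 or the article: it parses standard OpenSSH `sshd` "Accepted publickey" lines from a constructed auth.log sample and flags any `vmanage-admin` login whose source address is not in an operator-maintained allowlist of known controller addresses. The sample log lines, the IP addresses and the `KNOWN_PEERS` allowlist are all constructed assumptions; the controller-log peering check is not shown because the page does not give that log format.

```python
import ipaddress
import re

# Constructed sample auth.log excerpt in syslog + OpenSSH sshd format (not real captured data).
# Two logins come from assumed-legitimate controllers, one from an unknown address.
SAMPLE_AUTH_LOG = """\
May 14 02:11:07 vmanage sshd[4121]: Accepted publickey for vmanage-admin from 10.10.0.2 port 51122 ssh2: RSA SHA256:aaaa
May 14 02:13:40 vmanage sshd[4188]: Accepted publickey for vmanage-admin from 10.10.0.3 port 49850 ssh2: RSA SHA256:bbbb
May 14 03:02:15 vmanage sshd[4301]: Accepted publickey for vmanage-admin from 198.51.100.77 port 40311 ssh2: RSA SHA256:cccc
May 14 03:05:00 vmanage sshd[4310]: Failed password for admin from 198.51.100.77 port 40312 ssh2
May 14 03:07:22 vmanage sshd[4322]: Accepted publickey for operator from 203.0.113.9 port 40400 ssh2: RSA SHA256:dddd
"""

# Hypothetical allowlist: management addresses (or CIDR ranges) of the SD-WAN controllers
# that are expected to log in as vmanage-admin. An operator would fill this from inventory.
KNOWN_PEERS = {"10.10.0.0/29"}

# Matches the standard sshd success line; the indicator string from Cisco's guidance is the
# literal "Accepted publickey for vmanage-admin", captured here via the <user> group.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted_logins(log_text):
    """Return one dict per 'Accepted publickey' line; other sshd lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "host": m.group("host"),
                "user": m.group("user"),
                "ip": m.group("ip"),
                "port": int(m.group("port")),
            })
    return events


def _is_known(ip, known_peers):
    """True if ip falls inside any allowlisted address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in known_peers)


def find_suspicious_logins(log_text, known_peers, account="vmanage-admin"):
    """Return successful key-based logins to `account` from addresses outside the allowlist."""
    return [
        ev for ev in parse_accepted_logins(log_text)
        if ev["user"] == account and not _is_known(ev["ip"], known_peers)
    ]


if __name__ == "__main__":
    for ev in find_suspicious_logins(SAMPLE_AUTH_LOG, KNOWN_PEERS):
        print(f"{ev['ts']} {ev['host']}: {ev['user']} login from unknown source {ev['ip']}")
```

Run it against a real `/var/log/auth.log` by reading the file into `find_suspicious_logins` in place of the sample; a hit means a `vmanage-admin` key login from an address that is not a known controller, which is exactly the indicator Cisco asks administrators to look for and should be triaged together with the controller's peering logs.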